Exploit Database

146,695 exploits tracked across all sources.

Sort: Activity Stars
CVE-2018-17179 WRITEUP CRITICAL
OpenEMR < 5.0.1.7 - SQL Injection via taskman.php
An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.
CVSS 9.8
CVE-2018-17182 WRITEUP HIGH
Linux kernel <4.18.8 - Use After Free
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.
CVSS 7.8
CVE-2018-17240 WRITEUP HIGH
Netwave IP Camera - Info Disclosure
There is a memory dump vulnerability on Netwave IP camera devices at //proc/kcore that allows an unauthenticated attacker to exfiltrate sensitive information from the network configuration (e.g., username and password).
CVSS 7.5
CVE-2018-17418 WRITEUP HIGH
Monstra CMS 3.0.4 - Remote Code Execution via Mixed-Case File Extension Bypass
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.
CVSS 7.2
CVE-2018-17431 WRITEUP CRITICAL
Comodo Unified Threat Management Firewall < 2.7.0 - Unauthenticated Remote Code Execution
Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.
CVSS 9.8
CVE-2018-17456 WRITEUP CRITICAL
Malicious Git HTTP Server For CVE-2018-17456
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
CVSS 9.8
CVE-2018-17538 WRITEUP CRITICAL
Axon Evidence Sync <3.15.89 - Code Injection
Axon (formerly TASER International) Evidence Sync 3.15.89 is vulnerable to process injection. NOTE: the vendor's position is that this CVE is not associated with information that supports any finding of any type of vulnerability
CVSS 9.8
CVE-2018-17552 WRITEUP CRITICAL
Naviwebs Navigate CMS 2.8 - SQL Injection
SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote attackers to bypass authentication via the navigate-user cookie.
CVSS 9.8
CVE-2018-17553 WRITEUP HIGH
Navigate CMS 2.8 - Authenticated Remote Code Execution via Directory Traversal in navigate_upload.php
An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.
CVSS 8.8
CVE-2019-16531 WRITEUP HIGH
LayerBB < 1.1.4 - Cross-Site Request Forgery via Admin General Settings
LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php.
CVSS 8.8
CVE-2019-16531 WRITEUP HIGH
LayerBB < 1.1.4 - Cross-Site Request Forgery via Admin General Settings
LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php.
CVSS 8.8
CVE-2018-17997 WRITEUP MEDIUM
LayerBB 1.1.1 - Stored Cross-Site Scripting via Conversation Title
LayerBB 1.1.1 allows XSS via the titles of conversations (PMs).
CVSS 6.1
CVE-2018-17996 WRITEUP MEDIUM
LayerBB < 1.1.3 - Cross-Site Request Forgery via Admin and Moderator Endpoints
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/.
CVSS 6.5
CVE-2018-17996 WRITEUP MEDIUM
LayerBB < 1.1.3 - Cross-Site Request Forgery via Admin and Moderator Endpoints
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/.
CVSS 6.5
CVE-2018-17988 WRITEUP CRITICAL
LayerBB 1.1.1 and 1.1.3 - SQL Injection via search.php search_query Parameter
LayerBB 1.1.1 and 1.1.3 has SQL Injection via the search.php search_query parameter.
CVSS 9.8
CVE-2018-18021 WRITEUP HIGH
Linux Kernel < 4.18.12 - Unauthenticated Denial of Service and Control Flow Hijack via KVM_SET_ON_REG ioctl
arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.
CVSS 7.1
CVE-2018-18307 WRITEUP MEDIUM
AlchemyCMS 4.1.0 - Stored Cross-Site Scripting via Admin Pictures Image Field
A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected as unauthorized."
CVSS 6.1
CVE-2018-18308 WRITEUP MEDIUM
BigTree CMS 4.2.23 - Stored Cross-Site Scripting in Image Upload Area
In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).
CVSS 6.1
CVE-2018-18380 WRITEUP MEDIUM
BigTree CMS < 4.2.24 - Session Fixation via admin.php
A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session.
CVSS 5.4
CVE-2018-18435 WRITEUP HIGH
kioware_server < 4.9.6 - Unauthenticated Privilege Escalation via Weak Directory Permissions
KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and it's sub-folders. In addition, the program installs a service called "KWSService" which runs as "Localsystem", this will allow any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a malicious one.
CVSS 7.8
CVE-2018-18509 WRITEUP MEDIUM
Thunderbird < 60.5.1 - Improper Verification of Cryptographic Signature
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.
CVSS 5.3
CVE-2018-18557 WRITEUP HIGH
LibTIFF 3.9.3-4.0.9 - Out-of-bounds Write in JBIG Decoder
LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
CVSS 8.8
CVE-2018-18557 WRITEUP HIGH
LibTIFF 3.9.3-4.0.9 - Out-of-bounds Write in JBIG Decoder
LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
CVSS 8.8
CVE-2018-18748 WRITEUP CRITICAL
Sandboxie 5.26 - Sandbox Escape via Python File Import
Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system("powershell"), within a .py file. NOTE: the vendor disputes this issue because the observed behavior is consistent with the product's intended functionality
CVSS 10.0
CVE-2018-18751 WRITEUP CRITICAL
GNU gettext 0.19.8 - Use-After-Free in po_gram_parse
An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
CVSS 9.8